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VIS  ENHANCEMENT  PROJECT 

This  is  CWC-85-04. 


SUMMARY 


1.1 . (U)  We  discussed  the  status  of  the  Verification 

Information  System  (VIS)  Enhancement  Project  with  a number  of 
officials  in  the  Technical  Secretariat  (TS)  on  the  margins  of 
the  June  29-July  2 Executive  Council  session.  The  project 
remains  on  schedule,  although  some  TS  officials  expressed 
concerns  and  questioned  the  willingness  of  the  contractor  to 
meet  the  TS  deadlines.  Others  asserted  that  the  contractor 
is  dictating  the  terms  and  timelines  of  the  effort  without 
adequate  oversight.  TS  officials  also  raised  concerns 
regarding  VIS  information  security,  lack  of  planning  for  and 
funding  of  VIS  implementation,  and  the  absence  of  any  plan  to 
publicize  the  effort  to  ensure  the  VIS  is  endorsed  by  States 
Parties.  In  fact,  the  Office  of  Internal  Oversight  in  the  TS 
has  recommended  that  a qualified  outside  expert  do  a project 
audit.  Ambassador  Javits  emphasized  to  Director  General 
Pfirter  and  Deputy  DG  Hawtin  that  the  U.S.  places  great 
importance  on  the  timely  completion  of  a fully  functioning 
VIS  that  addresses  all  the  concerns  of  users  in  the  TS  as 
well  as  States  Parties.  End  Summary. 


SECURITY  AND  CONFIDENTIALITY 


12 . (U)  Rob  Simpson,  head  of  the  Office  of  Confidentiality 
and  Security  (OCS)  and  a member  of  the  VIS  project  management 
team  chaired  by  the  Deputy  DG  Brian  Hawtin,  provided  his 
opinion  that  the  VIS  would  not  be  deployed  on  the  Secure 
Critical  Network  (SCN)  by  December  2004.  Thus,  the  fourth 
security  audit  team  (SAT-IV)  may  not  be  able  to  do  a full 
audit  of  SCN/VIS  before  the  end  of  their  2004  mandate. 

Simpson  stressed  adequate  security  needed  to  be  part  of  the 
development  effort,  although  this  element  of  the  VIS  project 
remains  unfunded.  Simpson  noted  that  the  OCS-requested  VIS 
requirements  have  not  been  provided  to  the  TS,  although  the 
contractor  (Sitar,  Inc.)  charged  80,000  euros  for  a paper 
explaining  why  it  was  not  going  to  provide  them. 

13.  (U)  SAT-IV  review  of  the  VIS  before  its  deployment  to  the 
SCN  would  be  useful,  agreed  Simpson,  citing  delegations' 
concerns  about  how  the  VIS  would  protect  their  highly 
sensitive  information.  Simpson  has  provided  the  head  of 
SAT-IV  (Harada,  Japan)  11  security-related  VIS  documents 
drafted  by  Information  Systems  Branch  (ISB).  Harada  is  to 
disseminate  these  documents  to  SAT-IV  for  their  consideration 
of  VIS  security  aspects.  Simpson  also  said  that  ISB 
initially  had  requested  a security  gap  analysis  from  the 
contractor  without  OCS  involvement,  and  that  currently  there 
is  a Memorandum  of  Understanding  between  OCS  and  ISB 
regarding  the  VIS  design  providing  specifications  on  how 
security  is  to  be  done. 

14.  (U)  Simpson  reported  that  the  target  of  the  initial  VIS 
project  is  the  Verification  Division's  Declaration  Branch. 
Addition  of  facility  inspections  to  the  Relational  Database 
Management  System  (RDBMS)  reporting  will  be  a follow-on 
effort.  Simpson  relayed  that  the  contractor  failed  to 
provide  a cost  estimate  and  timeline  to  the  revised  Statement 
of  Work  (SoW)  by  June  17,  delaying  negotiation  of  the 
follow-on  contract  by  a month.  (Note:  this  had  yet  to  be 
received  as  of  July  6.)  There  apparently  is  speculation  that 
the  contractor  is  balking  at  the  new  SoW,  and  wants  the 
contract  scaled  back. 

15.  (U)  The  SCN  upgrade  to  Windows  2000,  continued  Simpson, 
would  probably  take  place  in  early  fall  2004  because 
Microsoft  will  no  longer  support  NT4  as  of  January  1,  2005. 

As  OCS  does  not  expect  the  RDBMS  to  be  deployed  on  the  SCN 
until  late  2004  at  the  earliest,  there  is  no  need  to  do  it 
this  summer.  The  upgrade  will  be  completed  by  the  December 
1-6  visit  of  SAT-IV.  Simpson  noted  that  SAT-IV  would  do  a 
full  audit  of  the  SCN  at  that  time,  using  ISO  17999  to 


organize  its  approach  to  the  audit. 


VERIFICATION  DIVISION  AND  INSPECTORATE 


1.6.  ( U ) Horst  Reeps,  Head  of  the  Verification  Division,  and 
Carlos  Trentadue,  Acting  Head  of  the  Inspectorate,  both  of 
whom  are  on  the  VIS  Project  Management  Team,  expressed 
frustration  at  the  current  state  of  the  project.  Reeps 
reported  that  in  the  last  two  months,  he  and  Trentadue  have 
sent  four  memoranda  to  the  DDG,  protesting  that  after  a year, 
they  have  only  paper  charts  and  diagrams  while  what  they  need 
is  a functional  VIS.  Trentadue  added  that  although  the  two 
groups  have  provided  about  800  person-hours  to  the  effort,  as 
yet  they  have  seen  nothing  tangible.  Reeps  commented  that 
the  entire  approach  is  too  erratic,  there  are  too  many 
intermediate  levels  of  command,  and  a supervisor  desperately 
is  needed. 

1.7.  (U)  Reeps  and  Trentadue  reported  that  after  numerous 
meetings  with  the  contractor,  and  equally  numerous  requests 
for  a timeline  for  planning  purposes,  they  have  yet  to  see 
anything  specific.  They  need  to  plan  so  they  can  train 
relevant  staff  members  on  VIS  use  and  find  the  funds  and 
support  to  hire  four  or  five  Technical  Assistance  Contractors 
(TACs)  with  language  skills  and  appropriate  security 
clearances  to  manually  enter  the  historical  industry 
declaration  data  into  the  VIS.  There  currently  is  no 
provision  for  this  effort  in  the  2005  budget,  although  the 
full  implementation  of  VIS  supposedly  will  take  place  in 
mid-2005  . 


INFORMATION  SERVICES  BRANCH 


1.8.  (U)  Greg  Linden,  Chief  of  the  Information  Systems  Branch, 
presented  the  status  of  and  the  plan  for  completion  of  first 
phase  of  the  VIS  project.  He  announced  that  as  of  July  1 the 
contractor  has  provided  the  TS  four  products: 

— the  RDBMS  (completed  and  provided  to  the  TS  two  months 
ago)  ; 

— the  country  maintenance  database  which  will  be  available 
on  the  OPCW  website  with  a list  of  States  Parties  names  and 
their  TS  country  codes; 

— the  chemical  verifier  database  which  will  be  available  on 
the  OPCW  website  with  a standard  list  of  chemical  names  and 
their  CAS  numbers;  and 

— an  automated  list  of  declaration  handbook  formats  in 
pull-down  menu  format  (the  CTFS  in  TS  clothing)  which  will 
also  be  provided  to  States  Parties  via  the  OPCW  website. 

1.9.  (U)  Linden  reported  that  the  VIS  project  management  board 
meets  about  every  six  weeks,  to  assess  the  status  of  the 
project.  He  admitted  that  a detailed  schedule  had  yet  to  be 
provided  to  board  members,  but  that  this  will  be  a 
requirement  of  the  next  contract  with  Sitar,  Inc.  When  asked 
when  users  would  be  able  to  test-drive  the  system  with  mock 
data,  Linden  reported  that  Verification  Division  users  would 
have  access  in  the  September /October  timeframe.  Delegations 
would  be  able  to  check  the  VIS  system  in  late  2004. 

1.10.  (U)  When  asked  whether  an  off-the-shelf  RDBMS  might  have 
been  preferable,  Linden  responded  that  such  products  would 
not  be  able  to  incorporate  the  various  copies  of  the  data 
needed  by  the  TS : a digital  legacy  copy  with  errors  as 
provided  as  well  as  a "corrected"  copy,  which  would  be  a 
working  mirror  of  information  provided  by  States  Parties.  In 
addition,  industrial  declaration  data  builds  on  declarations 
beginning  in  1997,  and  in  order  to  be  of  value,  these 
declarations  also  must  be  manually  entered  into  the  VIS. 

This  effort  will  require  up  to  six  TAC  linguists  who  can  be 
cleared  to  handle  classified  data. 

111.  (U)  When  asked  about  the  status  of  the  TS  note 

announcing  the  VIS  project,  Linden  reported  there  had  been  an 
administrative  snafu,  but  the  draft  was  moving  through  the 
process  and  should  be  published  in  July.  We  emphasized  the 
importance  of  the  paper  for  delegations  to  build  support  in 
capitols  for  electronic  submissions  of  industry  declarations. 


AMBASSADOR’S  DISCUSSIONS  WITH  THE  DEPUTY  DG 


1[12.  (U)  Ambassador  Javits  and  delegation  reps  met  with  DDG 

Hawtin  on  July  2 and  relayed  concerns  about  the  negative 
feedback  we  had  received  on  the  margins  of  the  EC.  Javits 
inquired  about  the  status  of  the  TS  VIS  note,  and  made  clear 
that  disseminating  it  as  soon  as  possible  was  a U.S. 
priority.  The  DDG  noted  the  strides  made  by  Linden  towards 
deployment  of  a fully  operational  and  functional  VIS  that 
would  meet  the  needs  of  users  within  the  TS  as  well  as  States 
Parties.  Hawtin  asked  that  the  delegation  forget  the 
inadequate  efforts  made  between  1993  and  2002,  and  should 
focus  instead  on  the  enormous  progress  made  since  Linden 


joined  the  TS . For  over  a decade  no  progress  had  been  made, 
while  over  the  past  year,  the  TS  had  received  a functional 
RDBMS  and  will  have  a working  VIS  prototype  by  the  end  of  the 
summer . 

113.  (U)  The  DDG  characterized  the  critics  in  the  TS  as 

negative  influences  who  did  not  have  suggestions  on  how  to 
improve  the  project.  Hawtin  noted  that  a hoax  e-mail 
originating  from  someone  in  OCS  had  resulted  in  an  inquiry 
from  OCS,  ISB  and  the  Office  of  Internal  Oversight  (010)  into 
the  VIS  project,  with  the  010  recommending  that  a qualified 
outside  expert  do  a project  audit.  In  response,  the  DDG 
tasked  ISB  and  OCS  to  provide  a written  response  to  the 
charges  contained  in  the  hoax  e-mail,  to  provide  the  basis 
for  a DDG  recommendation  to  DG  Pfirter  on  the  need  for  a 
project  audit.  With  regard  to  the  Verification  Division's 
request  for  four  TACs  to  manually  enter  historical  industry 
declaration  data  into  the  RDBMS,  Hawtin  commented  that  he  did 
not  include  it  in  the  2005  budget  because,  being  a priority 
for  the  declaration  branch,  it  should  come  from  the  funds 
available  to  the  division  in  2005.  Finally,  the  DDG  promised 
to  look  into  the  draft  VIS  paper  and  ensure  that  it  be 
published  expeditiously. 


AMBASSADOR'S  DISCUSSION  WITH  DG  PFIRTER 


114.  (U)  Ambassador  Javits  met  with  the  DG  on  July  2 and 
noted  the  delegation's  request  that  the  VIS  paper  be 
published  quickly.  Javits  also  expressed  U.S.  support  for 
the  VIS  project  and  inquired  whether  funding  would  be 
available  to  complete  the  first  stage  of  the  VIS  effort.  The 
DG  was  noncommittal,  but  confirmed  that  the  project  was  a TS 
priority.  The  DG  also  agreed  to  ensure  the  VIS  paper  would 
be  disseminated  shortly. 

115.  (U)  Ito  sends. 

SOBEL 


